* [Buildroot] [PATCH 1/1] skeleton: add default login port to /etc/securetty
@ 2013-05-21  9:56 Tzu-Jung Lee
  0 siblings, 0 replies; 13+ messages in thread
From: Tzu-Jung Lee @ 2013-05-21  9:56 UTC (permalink / raw)
  To: buildroot

We ran into a "Login incorrect" problem when running the same rootfs
image across platforms with different login ports ttyS0/1/2/3.

Simply assigning "console" to BR2_TARGET_GENERIC_GETTY_PORT, which in
turn modifies the /etc/inittab, is not enough because the "console" device
was missing in the /etc/securetty.

While current securetty has enumerated a lot of ttys, this patch should save
some efforts to enumerate more.

Signed-off-by: Tzu-Jung Lee <tjlee@ambarella.com>
---
 system/system.mk | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/system/system.mk b/system/system.mk
index 44a33ae..67d3113 100644
--- a/system/system.mk
+++ b/system/system.mk
@@ -40,6 +40,9 @@ target-generic-do-remount-rw:
 target-generic-dont-remount-rw:
 	$(SED) '/^[^#].*# REMOUNT_ROOTFS_RW$$/s~^~#~' $(TARGET_DIR)/etc/inittab
 
+target-generic-securetty:
+	grep -q $(TARGET_GENERIC_GETTY) $(TARGET_DIR)/etc/securetty || echo $(TARGET_GENERIC_GETTY) >> $(TARGET_DIR)/etc/securetty
+
 ifneq ($(TARGET_GENERIC_HOSTNAME),)
 TARGETS += target-generic-hostname
 endif
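
Review bot: the new target-generic-securetty recipe assumes $(TARGET_DIR)/etc/securetty already exists. When it does not, `grep -q` fails with an error on stderr (`-q` does not silence that, `-s` does) and the `||` branch creates a securetty containing only the getty port. Decide whether a missing file should be created or left alone, and test for it explicitly before the grep.
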
@@ -60,4 +63,7 @@ TARGETS += target-generic-do-remount-rw
 else
 TARGETS += target-generic-dont-remount-rw
 endif
+ifneq ($(TARGET_GENERIC_GETTY),)
+TARGETS += target-generic-securetty
+endif
 endif
-- 
1.8.2.1


* [Buildroot] [PATCH 1/1] skeleton: add default login port to /etc/securetty
  2013-05-26 20:40   ` Spenser Gilliland
  2013-05-26 20:43     ` Spenser Gilliland
@ 2013-05-26 21:00     ` Peter Korsgaard
  1 sibling, 0 replies; 13+ messages in thread
From: Peter Korsgaard @ 2013-05-26 21:00 UTC (permalink / raw)
  To: buildroot

>>>>> "Spenser" == Spenser Gilliland <spenser@gillilanding.com> writes:

 Spenser> From: Tzu-Jung Lee <tjlee@ambarella.com>

 Spenser> We ran into a "Login incorrect" problem when running the same
 Spenser> rootfs image across platforms with different login ports
 Spenser> ttyS0/1/2/3.

 Spenser> Simply assigning "console" to BR2_TARGET_GENERIC_GETTY_PORT,
 Spenser> which in turn modifies the /etc/inittab, is not enough because
 Spenser> the "console" device was missing in the /etc/securetty.

 Spenser> While current securetty has enumerated a lot of ttys, this
 Spenser> patch should save some efforts to enumerate more.

 Spenser> Signed-off-by: Tzu-Jung Lee <tjlee@ambarella.com>
 Spenser> Signed-off-by: Spenser Gilliland <spenser@gillilanding.com>
 Spenser> Acked-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
 Spenser> ---
 
 Spenser> +target-generic-securetty:
 Spenser> +	grep -q ^$(TARGET_GENERIC_GETTY)$$ $(TARGET_DIR)/etc/securetty || \
 Spenser> +		echo $(TARGET_GENERIC_GETTY) >> $(TARGET_DIR)/etc/securetty

I prefer to stick the TARGET_GENERIC_GETTY value inside single quotes to
ensure the shell won't get confused.

Committed to next with that corrected, thanks.

-- 
Bye, Peter Korsgaard
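
Added example, not part of the thread or of Buildroot: the securetty check reviewed above, written as shell functions that contrast the first revision's unanchored grep with a quoted, whole-line literal match. The function names and the sample file are constructed for illustration, and leaving an absent file absent is this example's assumption.

```shell
#!/bin/sh
# Added example, not Buildroot code. Function names are hypothetical.

# First-revision check: unanchored regex, so "ttyS1" is "found" inside "ttyS10".
tty_listed_unanchored() {   # usage: FILE TTY
    grep -q -e "$2" "$1"
}

# Whole-line literal check: -x anchors both ends, -F turns off regex
# metacharacters, and the quotes keep the shell from touching the value.
tty_listed_exact() {        # usage: FILE TTY
    grep -qxF -e "$2" "$1"
}

# Append TTY to FILE only when it is not already listed as a full line.
ensure_securetty_entry() {  # usage: FILE TTY
    file=$1
    tty=$2
    # Empty getty port: nothing to add (the ifneq guard in the patch).
    if [ -z "$tty" ]; then return 0; fi
    # Assumption of this example: an absent file stays absent instead of
    # being created with a single entry.
    if [ ! -f "$file" ]; then return 0; fi
    if tty_listed_exact "$file" "$tty"; then return 0; fi
    # A last line without a newline would otherwise fuse with the new entry.
    if [ -s "$file" ] && [ -n "$(tail -c 1 "$file")" ]; then
        printf '\n' >> "$file"
    fi
    printf '%s\n' "$tty" >> "$file"
}

# Constructed sample: ttyS10 is listed, ttyS1 is not, and the last line
# has no trailing newline.
demo_dir=$(mktemp -d)
printf 'console\nttyS0\nttyS10' > "$demo_dir/securetty"

if tty_listed_unanchored "$demo_dir/securetty" ttyS1; then
    echo "unanchored grep: ttyS1 reported as present (substring of ttyS10)"
fi
ensure_securetty_entry "$demo_dir/securetty" ttyS1
ensure_securetty_entry "$demo_dir/securetty" ttyS1   # second run is a no-op
cat "$demo_dir/securetty"
rm -rf "$demo_dir"
```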


* [Buildroot] [PATCH 1/1] skeleton: add default login port to /etc/securetty
  2013-05-26 20:40   ` Spenser Gilliland
@ 2013-05-26 20:43     ` Spenser Gilliland
  2013-05-26 21:00     ` Peter Korsgaard
  1 sibling, 0 replies; 13+ messages in thread
From: Spenser Gilliland @ 2013-05-26 20:43 UTC (permalink / raw)
  To: buildroot

On Sun, May 26, 2013 at 3:40 PM, Spenser Gilliland
<spenser@gillilanding.com> wrote:
> From: Tzu-Jung Lee <tjlee@ambarella.com>
>
> We ran into a "Login incorrect" problem when running the same rootfs
> image across platforms with different login ports ttyS0/1/2/3.
>
> Simply assigning "console" to BR2_TARGET_GENERIC_GETTY_PORT, which in
> turn modifies the /etc/inittab, is not enough because the "console" device
> was missing in the /etc/securetty.
>
> While current securetty has enumerated a lot of ttys, this patch should save
> some efforts to enumerate more.
>
> Signed-off-by: Tzu-Jung Lee <tjlee@ambarella.com>
> Signed-off-by: Spenser Gilliland <spenser@gillilanding.com>
> Acked-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
> ---
>  support/scripts/graph-depends |    1 +
>  system/system.mk              |    8 ++++++++
>  2 files changed, 9 insertions(+)
>
> diff --git a/support/scripts/graph-depends b/support/scripts/graph-depends
> index 50b8670..ac24086 100755
> --- a/support/scripts/graph-depends
> +++ b/support/scripts/graph-depends
> @@ -161,6 +161,7 @@ def remove_redundant_deps(deps):
>      return newdeps
>
>  TARGET_EXCEPTIONS = [
> +    "target-generic-securetty",
>      "target-generic-issue",
>      "target-generic-getty-busybox",
>      "target-generic-do-remount-rw",
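
Review bot: the "target-generic-securetty" string added to TARGET_EXCEPTIONS has to be kept identical to the target name in system/system.mk by hand, and the commit message never mentions support/scripts/graph-depends. Add a sentence to the commit message saying why the exception is needed, so the two stay in sync if the target is renamed.
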
> diff --git a/system/system.mk b/system/system.mk
> index 44a33ae..3e11a51 100644
> --- a/system/system.mk
> +++ b/system/system.mk
> @@ -9,6 +9,10 @@ TARGET_GENERIC_GETTY:=$(call qstrip,$(BR2_TARGET_GENERIC_GETTY_PORT))
>  TARGET_GENERIC_GETTY_BAUDRATE:=$(call qstrip,$(BR2_TARGET_GENERIC_GETTY_BAUDRATE))
>  TARGET_GENERIC_GETTY_TERM:=$(call qstrip,$(BR2_TARGET_GENERIC_GETTY_TERM))
>
> +target-generic-securetty:
> +       grep -q ^$(TARGET_GENERIC_GETTY)$$ $(TARGET_DIR)/etc/securetty || \
> +               echo $(TARGET_GENERIC_GETTY) >> $(TARGET_DIR)/etc/securetty
> +
>  target-generic-hostname:
>         mkdir -p $(TARGET_DIR)/etc
>         echo "$(TARGET_GENERIC_HOSTNAME)" > $(TARGET_DIR)/etc/hostname
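
Review bot: in this quoted copy the recipe lines under target-generic-securetty start with spaces, where the patch as posted uses tabs. make only accepts a tab-indented recipe, so apply the hunk from the original message and not from this quote.
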
> @@ -40,6 +44,10 @@ target-generic-do-remount-rw:
>  target-generic-dont-remount-rw:
>         $(SED) '/^[^#].*# REMOUNT_ROOTFS_RW$$/s~^~#~' $(TARGET_DIR)/etc/inittab
>
> +ifneq ($(TARGET_GENERIC_GETTY),)
> +TARGETS += target-generic-securetty
> +endif
> +
>  ifneq ($(TARGET_GENERIC_HOSTNAME),)
>  TARGETS += target-generic-hostname
>  endif
> --
> 1.7.9.5
>

Thomas,

Sorry about that. That was actually an artifact from before I tested
it.  The patch above should work and I've included the changes you
asked for.

It's $$ for a single $ in make.

Spenser

--
Spenser Gilliland
Computer Engineer
Doctoral Candidate


* [Buildroot] [PATCH 1/1] skeleton: add default login port to /etc/securetty
  2013-05-26 20:14 ` Spenser Gilliland
  2013-05-26 20:30   ` Thomas Petazzoni
@ 2013-05-26 20:40   ` Spenser Gilliland
  2013-05-26 20:43     ` Spenser Gilliland
  2013-05-26 21:00     ` Peter Korsgaard
  1 sibling, 2 replies; 13+ messages in thread
From: Spenser Gilliland @ 2013-05-26 20:40 UTC (permalink / raw)
  To: buildroot

From: Tzu-Jung Lee <tjlee@ambarella.com>

We ran into a "Login incorrect" problem when running the same rootfs
image across platforms with different login ports ttyS0/1/2/3.

Simply assigning "console" to BR2_TARGET_GENERIC_GETTY_PORT, which in
turn modifies the /etc/inittab, is not enough because the "console" device
was missing in the /etc/securetty.

While current securetty has enumerated a lot of ttys, this patch should save
some efforts to enumerate more.

Signed-off-by: Tzu-Jung Lee <tjlee@ambarella.com>
Signed-off-by: Spenser Gilliland <spenser@gillilanding.com>
Acked-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
---
 support/scripts/graph-depends |    1 +
 system/system.mk              |    8 ++++++++
 2 files changed, 9 insertions(+)

diff --git a/support/scripts/graph-depends b/support/scripts/graph-depends
index 50b8670..ac24086 100755
--- a/support/scripts/graph-depends
+++ b/support/scripts/graph-depends
@@ -161,6 +161,7 @@ def remove_redundant_deps(deps):
     return newdeps
 
 TARGET_EXCEPTIONS = [
+    "target-generic-securetty",
     "target-generic-issue",
     "target-generic-getty-busybox",
     "target-generic-do-remount-rw",
diff --git a/system/system.mk b/system/system.mk
index 44a33ae..3e11a51 100644
--- a/system/system.mk
+++ b/system/system.mk
@@ -9,6 +9,10 @@ TARGET_GENERIC_GETTY:=$(call qstrip,$(BR2_TARGET_GENERIC_GETTY_PORT))
 TARGET_GENERIC_GETTY_BAUDRATE:=$(call qstrip,$(BR2_TARGET_GENERIC_GETTY_BAUDRATE))
 TARGET_GENERIC_GETTY_TERM:=$(call qstrip,$(BR2_TARGET_GENERIC_GETTY_TERM))
 
+target-generic-securetty:
+	grep -q ^$(TARGET_GENERIC_GETTY)$$ $(TARGET_DIR)/etc/securetty || \
+		echo $(TARGET_GENERIC_GETTY) >> $(TARGET_DIR)/etc/securetty
+
 target-generic-hostname:
 	mkdir -p $(TARGET_DIR)/etc
 	echo "$(TARGET_GENERIC_HOSTNAME)" > $(TARGET_DIR)/etc/hostname
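
Review bot: in the target-generic-securetty recipe both the pattern `^$(TARGET_GENERIC_GETTY)$$` and the `echo` argument are unquoted, so the shell still word-splits and globs whatever the port expands to, and grep still reads it as a regex. Single-quote the value in both commands, and consider `grep -qxF` so the port is compared as a literal whole line.
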
@@ -40,6 +44,10 @@ target-generic-do-remount-rw:
 target-generic-dont-remount-rw:
 	$(SED) '/^[^#].*# REMOUNT_ROOTFS_RW$$/s~^~#~' $(TARGET_DIR)/etc/inittab
 
+ifneq ($(TARGET_GENERIC_GETTY),)
+TARGETS += target-generic-securetty
+endif
+
 ifneq ($(TARGET_GENERIC_HOSTNAME),)
 TARGETS += target-generic-hostname
 endif
-- 
1.7.9.5


* [Buildroot] [PATCH 1/1] skeleton: add default login port to /etc/securetty
  2013-05-26 20:14 ` Spenser Gilliland
@ 2013-05-26 20:30   ` Thomas Petazzoni
  2013-05-26 20:40   ` Spenser Gilliland
  1 sibling, 0 replies; 13+ messages in thread
From: Thomas Petazzoni @ 2013-05-26 20:30 UTC (permalink / raw)
  To: buildroot

Dear Spenser Gilliland,

On Sun, 26 May 2013 15:14:29 -0500, Spenser Gilliland wrote:

> Change-Id: Ifb1239c80eb86528345b24eb8d04b52b67aa1209

Please remove this.

> +target-generic-securetty:
> +	grep -q ^$(TARGET_GENERIC_GETTY)$ $(TARGET_DIR)/etc/securetty || \
> +		echo $(TARGET_GENERIC_GETTY) >> $(TARGET_DIR)/etc/securetty

I'm not a make/shell expansion guru. Do the ^ and $ propagate all the
way to the shell and into the regexp matched by grep?

> +ifneq ($(TARGET_GENERIC_GETTY), )

No space for the test:

ifneq ($(TARGET_GENERIC_GETTY),)

Thanks,

Thomas
-- 
Thomas Petazzoni, Free Electrons
Kernel, drivers, real-time and embedded Linux
development, consulting, training and support.
http://free-electrons.com


* [Buildroot] [PATCH 1/1] skeleton: add default login port to /etc/securetty
  2012-07-13  3:19 roylee17 at gmail.com
  2012-07-14 16:56 ` Arnout Vandecappelle
@ 2013-05-26 20:14 ` Spenser Gilliland
  2013-05-26 20:30   ` Thomas Petazzoni
  2013-05-26 20:40   ` Spenser Gilliland
  1 sibling, 2 replies; 13+ messages in thread
From: Spenser Gilliland @ 2013-05-26 20:14 UTC (permalink / raw)
  To: buildroot

From: Tzu-Jung Lee <tjlee@ambarella.com>

We ran into a "Login incorrect" problem when running the same rootfs
image across platforms with different login ports ttyS0/1/2/3.

Simply assigning "console" to BR2_TARGET_GENERIC_GETTY_PORT, which in
turn modifies the /etc/inittab, is not enough because the "console" device
was missing in the /etc/securetty.

While current securetty has enumerated a lot of ttys, this patch should save
some efforts to enumerate more.

Change-Id: Ifb1239c80eb86528345b24eb8d04b52b67aa1209
Signed-off-by: Tzu-Jung Lee <tjlee@ambarella.com>
Signed-off-by: Spenser Gilliland <spenser@gillilanding.com>
Acked-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
---
 support/scripts/graph-depends |    1 +
 system/system.mk              |    8 ++++++++
 2 files changed, 9 insertions(+)

diff --git a/support/scripts/graph-depends b/support/scripts/graph-depends
index 50b8670..ac24086 100755
--- a/support/scripts/graph-depends
+++ b/support/scripts/graph-depends
@@ -161,6 +161,7 @@ def remove_redundant_deps(deps):
     return newdeps
 
 TARGET_EXCEPTIONS = [
+    "target-generic-securetty",
     "target-generic-issue",
     "target-generic-getty-busybox",
     "target-generic-do-remount-rw",
diff --git a/system/system.mk b/system/system.mk
index 44a33ae..04ad12d 100644
--- a/system/system.mk
+++ b/system/system.mk
@@ -9,6 +9,10 @@ TARGET_GENERIC_GETTY:=$(call qstrip,$(BR2_TARGET_GENERIC_GETTY_PORT))
 TARGET_GENERIC_GETTY_BAUDRATE:=$(call qstrip,$(BR2_TARGET_GENERIC_GETTY_BAUDRATE))
 TARGET_GENERIC_GETTY_TERM:=$(call qstrip,$(BR2_TARGET_GENERIC_GETTY_TERM))
 
+target-generic-securetty:
+	grep -q ^$(TARGET_GENERIC_GETTY)$ $(TARGET_DIR)/etc/securetty || \
+		echo $(TARGET_GENERIC_GETTY) >> $(TARGET_DIR)/etc/securetty
+
 target-generic-hostname:
 	mkdir -p $(TARGET_DIR)/etc
 	echo "$(TARGET_GENERIC_HOSTNAME)" > $(TARGET_DIR)/etc/hostname
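
Review bot: the end anchor in `grep -q ^$(TARGET_GENERIC_GETTY)$ ...` is written with a single `$`, which make takes as the start of a variable reference, so grep never receives a `$`. Write it as `$$`, the way the $(SED) recipe further down in this file already does with `REMOUNT_ROOTFS_RW$$`.
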
@@ -40,6 +44,10 @@ target-generic-do-remount-rw:
 target-generic-dont-remount-rw:
 	$(SED) '/^[^#].*# REMOUNT_ROOTFS_RW$$/s~^~#~' $(TARGET_DIR)/etc/inittab
 
+ifneq ($(TARGET_GENERIC_GETTY), )
+TARGETS += target-generic-securetty
+endif
+
 ifneq ($(TARGET_GENERIC_HOSTNAME),)
 TARGETS += target-generic-hostname
 endif
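
Review bot: `ifneq ($(TARGET_GENERIC_GETTY), )` is written with a space after the comma, unlike the `ifneq ($(TARGET_GENERIC_HOSTNAME),)` test a few lines below it. Use the same `,)` form so the empty-value tests in this file read alike.
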
-- 
1.7.9.5


* [Buildroot] [PATCH 1/1] skeleton: add default login port to /etc/securetty
  2012-07-15  0:28         ` Arnout Vandecappelle
@ 2012-07-30 15:13           ` Tzu-Jung Lee
  0 siblings, 0 replies; 13+ messages in thread
From: Tzu-Jung Lee @ 2012-07-30 15:13 UTC (permalink / raw)
  To: buildroot

On Sun, Jul 15, 2012 at 8:28 AM, Arnout Vandecappelle <arnout@mind.be> wrote:
> On 07/15/12 01:08, Thomas Petazzoni wrote:
>>
>> On Sat, 14 Jul 2012 23:20:50 +0200,
>> Arnout Vandecappelle <arnout@mind.be> wrote:
>>
>> >    I wouldn't like that.  I often use the default skeleton but override
>> > e.g.
>> > inittab in the post-build script.  I can't be bothered with setting
>> > BR2_TARGET_GENERIC_GETTY_PORT to empty.  So the result is
>> > that a /etc/securetty would be created which bears no relation with
>> > the actual login ports defined in inittab...  And all this happens on
>> > the
>> > sly, without any consent from the user or warning in the config menus.
>> >
>> >    Bottom line: automatically adding BR2_TARGET_GENERIC_GETTY_PORT
>> > to securetty is OK for me, but emptying it is not.
>>
>> Hmm, ok. But if you're modifying the inittab through a post-build
>> script, we could also say that it's your responsibility to also
>> adjust /etc/securetty accordingly, no?
>
>
>  Maybe, but if the securetty file isn't even part of the skeleton it's less
> obvious.  But more importantly: people will send questions to the mailing
> list asking why they can't log in into their buildroot system...
>
>
>> I don't have a strong opinion here, just trying to find the right
>> balance.
>>
>> >    BTW I can't think of many circumstances where securetty makes sense
>> > on an embedded system to begin with: why would you allow shell login
>> > on some port but not root login?
>> Is removing /etc/securetty sufficient? Both for Busybox getty, the
>> full-featured getty, and things like dropbear, openssh, telnet and al?
>> I think telnet needs pts/[0-n] to be in /etc/securetty otherwise it
>> doesn't allow root login.
>
>
>  I did a search for securetty in a build of an allyesconfig, and only found
> it in
> util-linux and busybox.  And I verified (by source code inspection) that
> util-linux
> accepts an absent securetty.
>
>  pam has a securetty module, but we don't support pam yet.  And anyway:
> <http://git.fedorahosted.org/git?p=linux-pam.git;a=blob;f=modules/pam_securetty/pam_securetty.c;h=5f2d1bec32c98fe8e3cbf437aec105d8b28dcfc9;hb=HEAD#l113>
>
>     if (stat(SECURETTY_FILE, &ttyfileinfo)) {
>         pam_syslog(pamh, LOG_NOTICE, "Couldn't open %s: %m", SECURETTY_FILE);
>         return PAM_SUCCESS; /* for compatibility with old securetty handling,
>                                this needs to succeed.  But we still log the
>                                error. */
>     }

Hi Guys,

Sorry for the late follow-ups, but it seems that the original patch
should be okay for being merged, right?
Or is there any other way I can make an improvement?

Thanks,
Roy

--
And sorry to Arnout for duplicating the mails because I forgot to
include the mailing list...


* [Buildroot] [PATCH 1/1] skeleton: add default login port to /etc/securetty
  2012-07-14 23:08       ` Thomas Petazzoni
@ 2012-07-15  0:28         ` Arnout Vandecappelle
  2012-07-30 15:13           ` Tzu-Jung Lee
  0 siblings, 1 reply; 13+ messages in thread
From: Arnout Vandecappelle @ 2012-07-15  0:28 UTC (permalink / raw)
  To: buildroot

On 07/15/12 01:08, Thomas Petazzoni wrote:
> On Sat, 14 Jul 2012 23:20:50 +0200,
> Arnout Vandecappelle <arnout@mind.be> wrote:
>
> >    I wouldn't like that.  I often use the default skeleton but override e.g.
> > inittab in the post-build script.  I can't be bothered with setting
> > BR2_TARGET_GENERIC_GETTY_PORT to empty.  So the result is
> > that a /etc/securetty would be created which bears no relation with
> > the actual login ports defined in inittab...  And all this happens on the
> > sly, without any consent from the user or warning in the config menus.
> >
> >    Bottom line: automatically adding BR2_TARGET_GENERIC_GETTY_PORT
> > to securetty is OK for me, but emptying it is not.
>
> Hmm, ok. But if you're modifying the inittab through a post-build
> script, we could also say that it's your responsibility to also
> adjust /etc/securetty accordingly, no?

  Maybe, but if the securetty file isn't even part of the skeleton it's less
obvious.  But more importantly: people will send questions to the mailing
list asking why they can't log in into their buildroot system...

> I don't have a strong opinion here, just trying to find the right
> balance.
>
> >    BTW I can't think of many circumstances where securetty makes sense
> > on an embedded system to begin with: why would you allow shell login
> > on some port but not root login?
> Is removing /etc/securetty sufficient? Both for Busybox getty, the
> full-featured getty, and things like dropbear, openssh, telnet and al?
> I think telnet needs pts/[0-n] to be in /etc/securetty otherwise it
> doesn't allow root login.

  I did a search for securetty in a build of an allyesconfig, and only found it in
util-linux and busybox.  And I verified (by source code inspection) that util-linux
accepts an absent securetty.

  pam has a securetty module, but we don't support pam yet.  And anyway:
<http://git.fedorahosted.org/git?p=linux-pam.git;a=blob;f=modules/pam_securetty/pam_securetty.c;h=5f2d1bec32c98fe8e3cbf437aec105d8b28dcfc9;hb=HEAD#l113>

    if (stat(SECURETTY_FILE, &ttyfileinfo)) {
        pam_syslog(pamh, LOG_NOTICE, "Couldn't open %s: %m", SECURETTY_FILE);
        return PAM_SUCCESS; /* for compatibility with old securetty handling,
                               this needs to succeed.  But we still log the
                               error. */
    }

  Regards,
  Arnout
-- 
Arnout Vandecappelle                               arnout at mind be
Senior Embedded Software Architect                 +32-16-286540
Essensium/Mind                                     http://www.mind.be
G.Geenslaan 9, 3001 Leuven, Belgium                BE 872 984 063 RPR Leuven
LinkedIn profile: http://www.linkedin.com/in/arnoutvandecappelle
GPG fingerprint:  7CB5 E4CC 6C2E EFD4 6E3D A754 F963 ECAB 2450 2F1F


* [Buildroot] [PATCH 1/1] skeleton: add default login port to /etc/securetty
  2012-07-14 21:20     ` Arnout Vandecappelle
@ 2012-07-14 23:08       ` Thomas Petazzoni
  2012-07-15  0:28         ` Arnout Vandecappelle
  0 siblings, 1 reply; 13+ messages in thread
From: Thomas Petazzoni @ 2012-07-14 23:08 UTC (permalink / raw)
  To: buildroot

On Sat, 14 Jul 2012 23:20:50 +0200,
Arnout Vandecappelle <arnout@mind.be> wrote:

>   I wouldn't like that.  I often use the default skeleton but override e.g.
> inittab in the post-build script.  I can't be bothered with setting
> BR2_TARGET_GENERIC_GETTY_PORT to empty.  So the result is
> that a /etc/securetty would be created which bears no relation with
> the actual login ports defined in inittab...  And all this happens on the
> sly, without any consent from the user or warning in the config menus.
> 
>   Bottom line: automatically adding BR2_TARGET_GENERIC_GETTY_PORT
> to securetty is OK for me, but emptying it is not.

Hmm, ok. But if you're modifying the inittab through a post-build
script, we could also say that it's your responsibility to also
adjust /etc/securetty accordingly, no?

I don't have a strong opinion here, just trying to find the right
balance.

>   BTW I can't think of many circumstances where securetty makes sense
> on an embedded system to begin with: why would you allow shell login
> on some port but not root login?

Is removing /etc/securetty sufficient? Both for Busybox getty, the
full-featured getty, and things like dropbear, openssh, telnet and al?
I think telnet needs pts/[0-n] to be in /etc/securetty otherwise it
doesn't allow root login.

Regards,

Thomas
-- 
Thomas Petazzoni, Free Electrons
Kernel, drivers, real-time and embedded Linux
development, consulting, training and support.
http://free-electrons.com


* [Buildroot] [PATCH 1/1] skeleton: add default login port to /etc/securetty
  2012-07-14 17:15   ` Thomas Petazzoni
@ 2012-07-14 21:20     ` Arnout Vandecappelle
  2012-07-14 23:08       ` Thomas Petazzoni
  0 siblings, 1 reply; 13+ messages in thread
From: Arnout Vandecappelle @ 2012-07-14 21:20 UTC (permalink / raw)
  To: buildroot

On 07/14/12 19:15, Thomas Petazzoni wrote:
> On Sat, 14 Jul 2012 18:56:51 +0200,
> Arnout Vandecappelle <arnout@mind.be> wrote:
>
> >    But perhaps it's even better to remove securetty completely?  If it just
> > enumerates all possible ttys (even non-existent ones), it doesn't really add
> > security...  (Note: I haven't verified if util-linux's login allows root login if
> > /etc/securetty is missing.)
>
> Or we just add the tty that is selected to have the getty on (i.e the
> skeleton would no longer have a etc/securetty file, and it would only
> be created with one entry, as done by the patch being discussed).

  I wouldn't like that.  I often use the default skeleton but override e.g.
inittab in the post-build script.  I can't be bothered with setting
BR2_TARGET_GENERIC_GETTY_PORT to empty.  So the result is
that a /etc/securetty would be created which bears no relation with
the actual login ports defined in inittab...  And all this happens on the
sly, without any consent from the user or warning in the config menus.

  Bottom line: automatically adding BR2_TARGET_GENERIC_GETTY_PORT
to securetty is OK for me, but emptying it is not.

  BTW I can't think of many circumstances where securetty makes sense
on an embedded system to begin with: why would you allow shell login
on some port but not root login?

  Regards,
  Arnout
-- 
Arnout Vandecappelle                               arnout at mind be
Senior Embedded Software Architect                 +32-16-286540
Essensium/Mind                                     http://www.mind.be
G.Geenslaan 9, 3001 Leuven, Belgium                BE 872 984 063 RPR Leuven
LinkedIn profile: http://www.linkedin.com/in/arnoutvandecappelle
GPG fingerprint:  7CB5 E4CC 6C2E EFD4 6E3D A754 F963 ECAB 2450 2F1F


* [Buildroot] [PATCH 1/1] skeleton: add default login port to /etc/securetty
  2012-07-14 16:56 ` Arnout Vandecappelle
@ 2012-07-14 17:15   ` Thomas Petazzoni
  2012-07-14 21:20     ` Arnout Vandecappelle
  0 siblings, 1 reply; 13+ messages in thread
From: Thomas Petazzoni @ 2012-07-14 17:15 UTC (permalink / raw)
  To: buildroot

On Sat, 14 Jul 2012 18:56:51 +0200,
Arnout Vandecappelle <arnout@mind.be> wrote:

>   But perhaps it's even better to remove securetty completely?  If it just
> enumerates all possible ttys (even non-existent ones), it doesn't really add
> security...  (Note: I haven't verified if util-linux's login allows root login if
> /etc/securetty is missing.)

Or we just add the tty that is selected to have the getty on (i.e the
skeleton would no longer have a etc/securetty file, and it would only
be created with one entry, as done by the patch being discussed).

Thomas
-- 
Thomas Petazzoni, Free Electrons
Kernel, drivers, real-time and embedded Linux
development, consulting, training and support.
http://free-electrons.com


* [Buildroot] [PATCH 1/1] skeleton: add default login port to /etc/securetty
  2012-07-13  3:19 roylee17 at gmail.com
@ 2012-07-14 16:56 ` Arnout Vandecappelle
  2012-07-14 17:15   ` Thomas Petazzoni
  2013-05-26 20:14 ` Spenser Gilliland
  1 sibling, 1 reply; 13+ messages in thread
From: Arnout Vandecappelle @ 2012-07-14 16:56 UTC (permalink / raw)
  To: buildroot

On 07/13/12 05:19, roylee17 at gmail.com wrote:
> From: Tzu-Jung Lee<tjlee@ambarella.com>
>
> We ran into a "Login incorrect" problem when running the same rootfs
> image across platforms with different login ports ttyS0/1/2/3.
>
> Simply assigning "console" to BR2_TARGET_GENERIC_GETTY_PORT, which in
> turn modifies the /etc/inittab, is not enough because the "console" device
> was missing in the /etc/securetty.
>
> While current securetty has enumerated a lot of ttys, this patch should save
> some efforts to enumerate more.
>
> Change-Id: Ifb1239c80eb86528345b24eb8d04b52b67aa1209
> Signed-off-by: Tzu-Jung Lee<tjlee@ambarella.com>
Acked-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>

  But perhaps it's even better to remove securetty completely?  If it just
enumerates all possible ttys (even non-existent ones), it doesn't really add
security...  (Note: I haven't verified if util-linux's login allows root login if
/etc/securetty is missing.)


  Regards,
  Arnout
-- 
Arnout Vandecappelle                               arnout at mind be
Senior Embedded Software Architect                 +32-16-286540
Essensium/Mind                                     http://www.mind.be
G.Geenslaan 9, 3001 Leuven, Belgium                BE 872 984 063 RPR Leuven
LinkedIn profile: http://www.linkedin.com/in/arnoutvandecappelle
GPG fingerprint:  7CB5 E4CC 6C2E EFD4 6E3D A754 F963 ECAB 2450 2F1F


* [Buildroot] [PATCH 1/1] skeleton: add default login port to /etc/securetty
@ 2012-07-13  3:19 roylee17 at gmail.com
  2012-07-14 16:56 ` Arnout Vandecappelle
  2013-05-26 20:14 ` Spenser Gilliland
  0 siblings, 2 replies; 13+ messages in thread
From: roylee17 at gmail.com @ 2012-07-13  3:19 UTC (permalink / raw)
  To: buildroot

From: Tzu-Jung Lee <tjlee@ambarella.com>

We ran into a "Login incorrect" problem when running the same rootfs
image across platforms with different login ports ttyS0/1/2/3.

Simply assigning "console" to BR2_TARGET_GENERIC_GETTY_PORT, which in
turn modifies the /etc/inittab, is not enough because the "console" device
was missing in the /etc/securetty.

While current securetty has enumerated a lot of ttys, this patch should save
some efforts to enumerate more.

Change-Id: Ifb1239c80eb86528345b24eb8d04b52b67aa1209
Signed-off-by: Tzu-Jung Lee <tjlee@ambarella.com>
---
 target/generic/Makefile.in |    6 ++++++
 1 files changed, 6 insertions(+), 0 deletions(-)

diff --git a/target/generic/Makefile.in b/target/generic/Makefile.in
index 4185202..571b54a 100644
--- a/target/generic/Makefile.in
+++ b/target/generic/Makefile.in
@@ -31,6 +31,9 @@ target-generic-do-remount-rw:
 target-generic-dont-remount-rw:
 	$(SED) '/^[^#].*# REMOUNT_ROOTFS_RW$$/s~^~#~' $(TARGET_DIR)/etc/inittab
 
+target-generic-securetty:
+	grep -q $(TARGET_GENERIC_GETTY) $(TARGET_DIR)/etc/securetty || echo $(TARGET_GENERIC_GETTY) >> $(TARGET_DIR)/etc/securetty
+
 ifneq ($(TARGET_GENERIC_HOSTNAME),)
 TARGETS += target-generic-hostname
 endif
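
Review bot: `grep -q $(TARGET_GENERIC_GETTY)` in the new rule matches the port as an unanchored regex, so a port of ttyS1 counts as present when the file lists only ttyS10, and the entry is then never appended. Anchor the match to the whole line (in a recipe the end anchor has to be written `$$`) and single-quote the expanded value for both grep and echo.
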
@@ -50,4 +53,7 @@ TARGETS += target-generic-do-remount-rw
 else
 TARGETS += target-generic-dont-remount-rw
 endif
+ifneq ($(TARGET_GENERIC_GETTY),)
+TARGETS += target-generic-securetty
+endif
 endif
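
Review bot: with this `ifneq` block every build that sets a getty port also edits /etc/securetty, yet the diffstat shows only target/generic/Makefile.in changing, so the config menu says nothing about it. Add a line to the BR2_TARGET_GENERIC_GETTY_PORT help text stating that the port is appended to /etc/securetty.
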
-- 
1.7.8.6
